The Web of Trust: Of Names and Routes and Being Connected

We’re on the Internet! We’re on the Internet?

What does it mean to “be on the Internet?”

It’s a serious question. Internet connectivity is absolutely fundamental to much of our modern lives. So much of our society and economy depends on being online, but what are the actual criteria?

At various points in my career path, this was actually a favorite question of mine for tech interviews. Here, though, I’ll give the punch line, or at least my own answer to the question, up front. While there are plenty of ways to deliver network services, ranging from wireless to 10G fibre-to-the-premises to X.25 over barbed wire and everything in between, just because the green link light is on doesn’t mean you can get to the rest of the world.

I propose that there are two vital conditions that make the difference between a connection to some network and a connection to the global Internet and all the services associated with it:

  1. You are able to resolve DNS information for the Internet service that you want to reach.
  2. The network you’re connected to has a path to the Internet service that you want to reach.

Let me explain those two, why they make my “required” list, and why it matters for security.

What’s in a name?

I’ll start with domain names. Some of you may be saying “hold on there, Brian; I can reach things by IP address directly, too. Is DNS really required?”

In the modern Internet, I’m going to go with “yes”.? In a simpler age, you might have been able to think of a domain name (more precisely, an A record) and an IP address as functionally equivalent ways of referring to the same host, but that hasn’t necessarily been true for a very long time now. Multiple services can be homed on the same IP address, and there are things like DNS-based load balancing to contend with, and cloud-hosted services, and digital certificate identities, and so on.

So yeah, in the Internet of today, if you don’t have functioning DNS, it’s not too different from not being connected at all.? Everything uses DNS.

Just by the way, that includes the bad guys, too.? Domain names are part of the attacker’s critical infrastructure, and that’s why DNS-based security controls really need to be part of the defender’s toolkit.

But there are more security implications to this critical DNS dependency than just policy-based blocking and tackling. I don’t want to turn this into a long-winded dissertation on the process of name resolution, but just consider how many different things we’re relying on whenever we do a name lookup.

  • We trust that our list of root nameservers (the hints file) is correct.
  • We trust that the root, and every other server in the chain, is correct and uncompromised.
  • We trust that the responses we get back to our queries have not been manipulated.
  • In most cases, the system we’re using isn’t even doing the resolution itself; it’s relying on the configured nameserver(s), which we trust to return the correct answer.
  • And finally, we trust that the various caches that may be present at every stage of the process have not been corrupted.

In fact, the various security and trust aspects of just the root zone itself could be an article all by itself. The global domain name system is a truly amazing work of engineering: a globally distributed database with no database administrator ... or with thousands of them, depending on how you look at it. Everything about the way we use the Internet depends on it, and most of the time it works so well and so quickly that we don’t even think about it. But there’s also a lot of implicit trust in that process.

Let’s assume, though, that we’ve gotten the correct info from DNS to reach the service we’re trying to use. The other really important part is that we’re able to route packets there and back again.

How do we get there from here?

It would be no fun to look up services in DNS if we couldn’t then communicate with them, so the other thing we need for our Internet connection is the ability to have our packets routed to the service, and the replies routed back to us. The first couple of hops on our way from here to there will probably follow a default route, good old 0.0.0.0/0 in IPv4 terms. I’ll call this the “easy” part (even though some of the networks could be quite complex, internally).

The other part … well, what do we call it? If I call it the Internet “backbone” or “core”, then no matter what definition I choose, someone will certainly be able to supply very good reasons why my definition is wrong. So I’ll simply call it the default-free part of the path. For our packets to successfully traverse this part of the Internet, we’re dependent on actually having routing tables with a route to the desired network, and that route almost always will get there using BGP.

Again, I’ll try to avoid turning this into a condensed version of a Fundamentals of Networking class (or CCNA-1 or Network+ or what-have-you). For our security and trust focus, what matters is how those routes got into the tables of the various routers that are forwarding our traffic.

And how did they get there? Well, someone announced that they had a connection to the network in question, and their BGP peers believed them. That’s it. How is that information validated? Well … it isn’t, really. While there are plenty of things that you can (and should) do to secure BGP, trusting your peers (and by extension, their peers, and so on) is deeply embedded in the design of the protocol.

Over the years, there have been plenty of examples of false route announcements getting injected, both accidentally and not-quite-so-accidentally. Much of the validation actually happens at layer 8 and above in the 7-layer network stack: the community of BGP operators is a relatively small one, and an attentive one. Screwing up your BGP configs in a way that your neighbors notice is a quick path to a kind of notoriety that you really don’t want.

Let’s make this concrete. If you’re reading this post, it’s probably because your web browser was able to resolve www.dhirubhai.net to an IP address (13.107.42.14 as I type this), and your network connection is able to get packets to and from that address.

Along the way, we needed the DNS root to tell us how to find the .com gTLD servers. We needed the TLD nameservers to tell us who’s authoritative for linkedin.com. In my quick little dig test while writing this, that then turned into two CNAME records before we landed on an A record in Microsoft’s network infrastructure (since Microsoft acquired LinkedIn). We then pushed a TCP packet out the door, with a destination IP of 13.107.42.14, to start setting up our HTTPS connection.? Several routing hops later, following what each hop thought was the best path to the network (NET-13-64-0-0-1 according to ARIN’s whois service) as announced by the autonomous system that is home to that network (Microsoft’s AS 8068 according to Verizon’s looking glass service).

That’s a lot of things to trust along the way. Not only that, it may not even be clear who manages many (or most) of the things we’re trusting. In fact, the closer you look, the more amazing it may seem that this whole “global Internet” thing works at all.

But it does. Every day. Almost always. DNS and BGP have both been around for quite a long while, with the original BGP RFC 1105 published in June 1989 and DNS even older (the oldest specification is RFC 882 from November 1983). Those two workhorses are truly what makes the Internet work. There are even areas, like anycast routing, where my two criteria of DNS and BGP interact with each other.

Now, if we want to communicate securely, it’s pretty obvious that we can’t depend just on the network infrastructure we’ve described here. We’ll need something that was design with security in mind, something that gives us some assurance that we’re actually talking to the party that we think we are.

That, however, is a topic for another day.

A selection of further reading

Nice breakdown of which MITRE ATT&CK techniques use DNS: https://blogs.infoblox.com/security/mitre-attck-and-dns/

Example of a DNS service that leverages BGP anycast routing: https://umbrella.cisco.com/blog/why-the-cisco-umbrella-global-network-uses-anycast-routing

BGP security best practices: https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/ctr-guide-to-border-gateway-protocol-best-practices.pdf

An article from 2015 on BGP security: https://www.networkcomputing.com/wan-networks/bgp-security-no-quick-fix (guess how much of it is still true, almost a decade later)



Well done! I really enjoyed this! Hope you and yours are doing well!

回复

要查看或添加评论,请登录

社区洞察

其他会员也浏览了